Write-up of the HTB OutBound machine: exploit Roundcube 1.6.10 (CVE-2025-49112) for RCE and gain www-data in Docker. Priv-esc via password reuse, DB creds, and decrypting stored data to access Jacob and SSH. Final root via abusing sudo-allowed below by symlinking its log to /etc/group to add user to sudo.

Writeup for HTB’s Artificial machine, covering enumeration, exploiting a TensorFlow deserialization flaw for initial RCE, cracking weak MD5 hashes to pivot to user gael, abusing Backrest backups via bcrypt credential cracking and port forwarding, then restoring snapshots to retrieve root’s SSH key for full compromise.

TwoMillion exposes several vulnerabilities: an exposed invite-code mechanism for initial access, insecure API endpoints that allowed privilege escalation by granting admin rights, an admin endpoint vulnerable to command injection (RCE), exposed database credentials used to pivot to a user account, and a local kernel exploit enabling full root escalation.